Friday, June 13, 2008

SaaS Security Requires Shared Responsibility

MBA (5/29/2008) Palaparty, Vijay
Increasing software-as-a-service adoption raises questions about application security and responsibility. Regardless of SaaS vendors’ security practices, issues such as network and data security require equal interest and attention from businesses engaging SaaS applications.
“SaaS is ideally electronic collaboration between partners—vendors and clients,” said Richard Johnston, president of Acris Solutions, Laguna Hills, Calif. “As a vendor, our goal is to implement a higher degree of security, but we often find that a desire for speed and ease from clients limits what we could offer them in terms of security. We push everyone down to username- and password-level security. It’s a question of how we offer protection to our clients as well as denial of service to hackers. It’s more of a challenge being a web-based service provider.”

Johnston said some security practices among clients leave them highly vulnerable, mainly because they seek speed and ease in implementation and use. He said such practices do not threaten the vendor but can be disastrous to the client.

“Speed and ease are the primary reasons companies remain vulnerable,” Johnston said. “Another reason is more common among larger companies that are not quick to react to employee terminations within the company. Once every quarter our company monitors clients’ accounts to review which ones are inactive and report our findings to our clients. But in trying to be proactive, it raises a question of how much handholding to do.”
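The inactive-account review Johnston describes is a routine a practitioner can automate. The following is an added example, not Acris Solutions’ code: it takes a constructed account export (field names and timestamp format are assumptions), flags enabled accounts with no login inside a threshold or that have never logged in, skips accounts the client has already disabled, and renders a report that asks the client to confirm rather than disabling anything itself, matching the division of responsibility described above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample account export (not real data): account name, last
# successful login as an ISO 8601 UTC timestamp (None = never logged in),
# and whether the account is currently enabled. Field names are assumptions.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe",       "last_login": "2008-05-28T14:02:00Z", "enabled": True},
    {"user": "asmith",     "last_login": "2008-01-15T09:30:00Z", "enabled": True},
    {"user": "svc_report", "last_login": None,                   "enabled": True},
    {"user": "bwilson",    "last_login": "2007-11-02T16:45:00Z", "enabled": False},
]

# Date of the quarterly review used by the example (noon UTC).
REVIEW_DATE = datetime(2008, 5, 29, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the export's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_inactive(accounts, as_of, threshold_days=90):
    """Return enabled accounts with no login in the last threshold_days.

    Accounts that have never logged in are flagged too: a provisioned but
    unused account is exactly the kind nobody notices is stale. Accounts
    already disabled are skipped, since the client has dealt with them.
    """
    cutoff = as_of - timedelta(days=threshold_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["last_login"] is None:
            findings.append({"user": acct["user"], "days_inactive": None})
            continue
        last = parse_ts(acct["last_login"])
        if last < cutoff:
            findings.append({"user": acct["user"],
                             "days_inactive": (as_of - last).days})
    return findings


def format_report(findings, as_of, threshold_days=90):
    """Render findings as plain text for the client's administrators.

    The vendor reports; disabling is the client's decision, so each line
    asks for confirmation instead of acting on the account.
    """
    lines = [f"Inactive account review as of {as_of:%Y-%m-%d} "
             f"(threshold {threshold_days} days)"]
    for f in sorted(findings, key=lambda f: f["user"]):
        if f["days_inactive"] is None:
            age = "never logged in"
        else:
            age = f"{f['days_inactive']} days since last login"
        lines.append(f"  {f['user']}: {age}; please confirm whether this "
                     f"account is still required")
    if not findings:
        lines.append("  no inactive enabled accounts found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_inactive(SAMPLE_ACCOUNTS, REVIEW_DATE), REVIEW_DATE))
```

Running it against the sample data flags asmith (135 days idle) and the never-used svc_report account, and leaves bwilson alone because that account is already disabled. A 90-day threshold is an assumption; a client whose joiner/leaver process is slow would want it shorter, and a service account that legitimately never logs in interactively should be excluded by the client, not silently by the vendor.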

Part of the reason these security holes occur is that higher-level executives hardly ever go into these systems, Johnston said. “We do want to prevent disasters—it’s pure simplicity—by providing protection at a higher level. It’s challenging, however. There is resistance and that’s the crux of it. It’s also an issue of a lack of human resources within companies to make security a priority.”

Andrew Weiss, CTO and COO of Overture Technologies, Bethesda, Md., said clients are primarily responsible for their overall security. “These security practices will certainly not include all possible measures, which clearly makes SaaS vendors responsible as well,” he said. “Frequently, it is through contracts with customers that vendors achieve the highest level of security.”

Weiss said SaaS provides a higher level of security to smaller customers. “Regardless of the legality of the matter, working with SaaS tends to upgrade smaller customers’ overall level of security,” he said. “For larger businesses—those with a higher level of resources and consciousness—it doesn’t really change the level of security but may change the way they view security.”

John Sirvydas, CTO of Zaio Corp., Scottsdale, Ariz., said that from a vendor perspective, lenders and other financial institutions have security requirements and it’s a matter of aligning the vendor systems to those requirements.

“It’s a shared responsibility,” Sirvydas said. “The typical process requires going through a phase where requirements are outlined and then implemented. This is followed up by a quarterly or yearly audit to review what is in place.”

Sirvydas said customers are invested in security measures because it ultimately results in a seamless environment between lenders, vendors and customers. “Security involves wire security and transmission security—the authentication process of who is being identified and what they are allowed to do once identified,” he said. “That is part of internal network security and the security of data. There are also physical security of the machines, business continuity and software process issues to consider.”

A recent paper from Trend Micro Inc., Cupertino, Calif., said SaaS is well suited to security applications themselves: hosting a security application as SaaS lets it deliver real-time protection over the internet.

“Today a large number of updates must be pushed to customers every day to keep pace with rapidly changing threats,” said John Maddison, vice president of core technology solutions at Trend Micro and author of the report “SaaS for Network Security, An Application Delivery Model that Enables Real-Time Protection.” “But merely updating on-site solution filtering is no longer sufficient due to the increased sophistication, number of variants and sheer volume of malware and spam.”

Maddison said that, given the quantity of threats, scanning every threat on the customer’s own network would impose heavy infrastructure requirements and consume resources. “Reputation services have become a critical component of internet threat protection,” he said.

In terms of network security, reputation services examine the sources of internet communications. If the source has a bad reputation, the communication is blocked before it even reaches the customer’s network. Trend Micro sees such a service existing as an in-the-cloud technology that works across customers in a SaaS format.

“Providing information quickly is important,” Maddison said. “Effective security must provide protection against all of the threat components as the attack emerges. Threats are often localized to certain regions or start in one part of the world and expand across the globe. As reputation information for one aspect of an attack is detected, intelligence is provided across protocols to provide comprehensive protection to customers around the world.”
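To make the two properties Maddison describes concrete (a source judged by the reputation of its address before its traffic is inspected, and evidence from one protocol protecting the others), here is an added example of a minimal shared reputation store. It is illustrative code, not Trend Micro’s product or algorithm: the scoring model (report weights that halve every 24 hours and a block threshold of 5) and the event stream (TEST-NET addresses, constructed) are assumptions. Mail gateways report a spam source; the web proxy then asks about the same address and blocks it without having seen a single HTTP request from it.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Scoring parameters (assumed for this example, not a vendor's): a report's
# weight halves every HALF_LIFE_HOURS, and a source is blocked once the
# decayed total of all reports about it reaches BLOCK_SCORE.
HALF_LIFE_HOURS = 24.0
BLOCK_SCORE = 5.0

# Reference "now" for the constructed events, and a later instant used to
# show that stale evidence stops blocking on its own.
NOW = datetime(2008, 6, 13, 12, 0, tzinfo=timezone.utc)
ONE_WEEK_LATER = NOW + timedelta(days=7)


class ReputationService:
    """Shared source-reputation store: every gateway reports into it and
    every gateway consults it, whatever protocol it fronts."""

    def __init__(self, half_life_hours=HALF_LIFE_HOURS, block_score=BLOCK_SCORE):
        self.half_life = half_life_hours
        self.block_score = block_score
        self._reports = defaultdict(list)  # ip -> [(when, protocol, weight)]

    def report(self, source_ip, protocol, weight, when):
        """Record evidence that source_ip misbehaved on some protocol."""
        self._reports[source_ip].append((when, protocol, weight))

    def score(self, source_ip, now):
        """Decayed sum of every report about source_ip, across protocols."""
        total = 0.0
        for when, _protocol, weight in self._reports[source_ip]:
            age_hours = (now - when).total_seconds() / 3600.0
            if age_hours < 0:  # ignore future-dated reports from skewed clocks
                continue
            total += weight * 0.5 ** (age_hours / self.half_life)
        return total

    def protocols_seen(self, source_ip):
        """Which protocols the evidence about source_ip came from."""
        return sorted({p for _, p, _ in self._reports[source_ip]})

    def should_block(self, source_ip, now):
        return self.score(source_ip, now) >= self.block_score


def build_sample_service(now=NOW):
    """Constructed event stream (not real traffic); TEST-NET addresses."""
    svc = ReputationService()
    # Two mail gateways report the same spam source, one day apart.
    svc.report("203.0.113.7", "smtp", 4.0, now - timedelta(hours=24))
    svc.report("203.0.113.7", "smtp", 4.0, now)
    # One stale, low-confidence report about a different host.
    svc.report("198.51.100.9", "http", 2.0, now - timedelta(hours=48))
    return svc


def gateway_decision(svc, protocol, source_ip, now=NOW):
    """What the gateway fronting `protocol` does with a connection from
    source_ip. The check runs before any payload is inspected, and it uses
    the shared score, so SMTP evidence blocks the same source at the web
    proxy. Returns (action, reason)."""
    current = svc.score(source_ip, now)
    if svc.should_block(source_ip, now):
        seen = ",".join(svc.protocols_seen(source_ip))
        return ("block", f"{protocol} from {source_ip}: score {current:.1f} "
                         f"from {seen} reports")
    return ("allow", f"{protocol} from {source_ip}: score {current:.1f}")


if __name__ == "__main__":
    service = build_sample_service()
    for proto, ip in [("http", "203.0.113.7"), ("http", "198.51.100.9"),
                      ("smtp", "192.0.2.1")]:
        print(*gateway_decision(service, proto, ip))
```

With the constructed events, 203.0.113.7 scores 6.0 (4.0 from today’s report plus 2.0 from yesterday’s) and is blocked at the HTTP proxy on SMTP evidence alone, 198.51.100.9 scores 0.5 and is allowed, and an address nobody has reported is allowed. The decay matters in practice: a week later the same two reports score under 0.05, so a source that cleaned up is not blocked forever on old evidence, which is the main false-positive complaint against static blocklists.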
